feat: adopt dunite PSA-37 secret_env + PSA-42 acquire_concurrency_only; bump dunite dep #56

Merged

nrupard merged 2 commits from feat/bunyip-47-adopt-dunite-psa37-42 into main

2026-06-03 21:12:22 +02:00

nrupard commented

2026-06-03 21:06:16 +02:00

Owner

What

Bump the dunite git dependency from a35e84a (PSA-36) to current main (476aacd, through PSA-43), and adopt the two new dunite APIs that have a live site in bunyip.

secret_env (PSA-37)

dunite-core now owns the file-or-env secret reader (ported verbatim from this crate's original BUNYIP-38 implementation). Delete bunyip's local secret_env and its five unit tests from config.rs; re-export dunite_core::services::secret_env so the existing secret_env(...) / crate::config::secret_env(...) call sites resolve against the shared implementation. Semantics unchanged.

acquire_concurrency_only (PSA-42)

The manifest handler meters only tag-addressed requests, but because the coupled acquire was gated entirely behind should_meter, digest-addressed requests took no concurrency slot at all - so a multi-arch docker pull's by-digest platform-manifest follow-ups were unbounded. The non-metered (digest) path now takes a concurrency-only slot via limiter.acquire_concurrency_only, denying with TooManyRequests + audit "concurrency" on LimitDenial::Concurrency (DailyCap is unreachable! for that call). Tag-addressed requests keep the coupled acquire. This restores concurrent_manifests_per_user bounding on the request type a multi-arch pull emits most of, without metering it daily.

PSA-38 (DownloadCacheError::class) - deferred

No adoption site: bunyip has no member-download HTTP handler yet (only OCI/OIDC handlers), only a re-export of DownloadCacheError, so there is no hand-rolled match to replace. Deferred until that handler lands.

Verification

just check-container green: cargo fmt --all --check + cargo clippy --workspace --all-targets -- -D warnings + cargo test --workspace --lib (205 lib tests). The dunite changes pulled by the bump are additive or internal (PSA-35 was already adopted in bunyip PR #38), so no break.

#BUNYIP-47

## What Bump the dunite git dependency from `a35e84a` (PSA-36) to current main (`476aacd`, through PSA-43), and adopt the two new dunite APIs that have a live site in bunyip. ## secret_env (PSA-37) dunite-core now owns the file-or-env secret reader (ported verbatim from this crate's original BUNYIP-38 implementation). Delete bunyip's local `secret_env` and its five unit tests from `config.rs`; re-export `dunite_core::services::secret_env` so the existing `secret_env(...)` / `crate::config::secret_env(...)` call sites resolve against the shared implementation. Semantics unchanged. ## acquire_concurrency_only (PSA-42) The manifest handler meters only tag-addressed requests, but because the coupled `acquire` was gated entirely behind `should_meter`, digest-addressed requests took no concurrency slot at all - so a multi-arch `docker pull`'s by-digest platform-manifest follow-ups were unbounded. The non-metered (digest) path now takes a concurrency-only slot via `limiter.acquire_concurrency_only`, denying with `TooManyRequests` + audit `"concurrency"` on `LimitDenial::Concurrency` (`DailyCap` is `unreachable!` for that call). Tag-addressed requests keep the coupled `acquire`. This restores `concurrent_manifests_per_user` bounding on the request type a multi-arch pull emits most of, without metering it daily. ## PSA-38 (DownloadCacheError::class) - deferred No adoption site: bunyip has no member-download HTTP handler yet (only OCI/OIDC handlers), only a re-export of `DownloadCacheError`, so there is no hand-rolled match to replace. Deferred until that handler lands. ## Verification `just check-container` green: `cargo fmt --all --check` + `cargo clippy --workspace --all-targets -- -D warnings` + `cargo test --workspace --lib` (205 lib tests). The dunite changes pulled by the bump are additive or internal (PSA-35 was already adopted in bunyip PR #38), so no break. #BUNYIP-47

nrupard added 1 commit

2026-06-03 21:06:16 +02:00

feat: adopt dunite PSA-37 secret_env + PSA-42 acquire_concurrency_only; bump dunite dep

Check / fmt / clippy / build / test (pull_request) Successful in 1m41s

Details

d9e299fa57

Bump the dunite git dependency from a35e84a (PSA-36) to current main (476aacd, through PSA-43), then adopt the two new APIs that have a live site here.

secret_env (PSA-37): dunite-core now owns the file-or-env secret reader (ported verbatim from this crate's original). Delete bunyip's local `secret_env` and its five unit tests from config.rs and re-export `dunite_core::services::secret_env`, so the existing `secret_env(...)` and `crate::config::secret_env(...)` call sites resolve against the shared implementation with identical semantics.

acquire_concurrency_only (PSA-42): the manifest handler metered only tag-addressed requests but, because the coupled `acquire` was gated entirely behind `should_meter`, digest-addressed requests took no concurrency slot at all - so a multi-arch pull's by-digest platform-manifest follow-ups were unbounded. Take a concurrency-only slot for the non-metered (digest) path via `limiter.acquire_concurrency_only`, denying with TooManyRequests + audit "concurrency" on LimitDenial::Concurrency (DailyCap is unreachable for that call). Tag-addressed requests keep the coupled acquire. This restores concurrent_manifests_per_user bounding on the request type a multi-arch pull emits most of, without metering it daily.

PSA-38 (DownloadCacheError::class): no adoption site - bunyip has no member-download HTTP handler yet, only a re-export of the error type, so there is no hand-rolled match to replace. Deferred until that handler lands.

just check-container green: fmt + clippy -D warnings + cargo test --workspace --lib (205 lib tests).

#BUNYIP-47

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

nrupard added 1 commit

2026-06-03 21:11:57 +02:00

refactor(oci): collapse always-Some concurrency guard to a plain UsageGuard (BUNYIP-47 review)

Create release / Create release from merged PR (pull_request) Has been skipped

Details

Check / fmt / clippy / build / test (pull_request) Successful in 1m18s

Details

727ecb6de8

Code review: after PSA-42 adoption both manifest-handler branches take a concurrency slot (the digest path no longer yields None), so `_guard` was an always-Some Option. Collapse it to a plain guard so the "every request holds a slot" invariant is explicit, and drop the stale "metered path only; None is a no-op" comment on the release. No behavior change.

#BUNYIP-47

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>